
Spanning Tree and SonicWall SonicPoints

  • 1.  Spanning Tree and SonicWall SonicPoints

    Posted Oct 04, 2011 12:12 PM

    We have an E5412zl as our core switch. It has redundant connections to our E6600 top-of-rack switches, so we have MSTP configured to manage those connections. We then have two E2510 edge switches on another floor and another building. We also have SonicWall E5500 UTM devices (2 in an HA pair) acting as our firewalls and also as controllers for our SonicPoint WAPs. One WAP is directly connected to the core switch, and the other is connected to one of the E2510 edge switches.

     

    SonicPoints use some proprietary Layer-2 protocols for controlling and provisioning their SonicPoint WAPs. Since we have deployed the SonicPoint WAPs they have worked great for between a couple hours and a day or two. They then go into a non-responsive state until they are rebooted. We have a ticket open with SonicWall and they are blaming spanning tree. They want me to "completely disable spanning tree for all ports in the SonicPoint network." My question is how do I do this? I have enabled bpdu-protection and admin-edge-port for all ports involved, but we are still getting the non-responsive state. Is there anything else I can do to exclude these ports from STP? Below are the relevant snippets of the config. Port B1 connects to the WAP, B15-B16 connect to the SonicWalls, B21 & B23 connect to the E2510 edge switches. VLAN1050 is for the SonicPoint control/provisioning network, and VLAN1051 is the actual guest network.

     

    vlan 1050 
       name "SonicPoint" 
       untagged B1,B15-B16 
       tagged B21,B23 
       no ip address 
       exit 
    vlan 1051 
       name "GuestWLAN" 
       untagged B2 
       tagged B1,B15-B16,B21,B23 
       no ip address 
       exit 

     

    spanning-tree
    spanning-tree B1 admin-edge-port
    spanning-tree B1 bpdu-protection
    spanning-tree B2 admin-edge-port
    spanning-tree B15 admin-edge-port
    spanning-tree B15 bpdu-protection
    spanning-tree B16 admin-edge-port
    spanning-tree B16 bpdu-protection
    spanning-tree B21 admin-edge-port
    spanning-tree B21 bpdu-protection
    spanning-tree B23 admin-edge-port
    spanning-tree B23 bpdu-protection
    spanning-tree config-name "ARB MSTP Config"
    spanning-tree config-revision 1
    spanning-tree instance 1 vlan 165 201 202
    spanning-tree instance 1 priority 3
    spanning-tree instance 2 vlan 169 200 204
    spanning-tree instance 2 priority 3
    spanning-tree bpdu-protection-timeout 300

    #SonicPoint
    #Spanningtree
    #STP
    #MSTP


  • 2.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 04, 2011 12:24 PM

    Hello,

     

    spanning-tree  <port-list> bpdu-filter

    spanning-tree <port-list> pvst-filter

     

    Regards,

     

    Antonio



  • 3.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 04, 2011 12:54 PM

    ok...

     

    Firstly, we must analyze the port status:

    Port B1 connects to the WAP

    spanning-tree B1 admin-edge-port
    spanning-tree B1 bpdu-protection

    B15-B16 connect to the Sonicwalls

    spanning-tree B15 admin-edge-port
    spanning-tree B15 bpdu-protection
    spanning-tree B16 admin-edge-port
    spanning-tree B16 bpdu-protection

    B21 & B23 connect to the E2510 edge switches

    spanning-tree B21 admin-edge-port
    spanning-tree B21 bpdu-protection
    spanning-tree B23 admin-edge-port
    spanning-tree B23 bpdu-protection

     

    Finally, your spanning tree configuration is false.

    SOLUTIONS

    There are two port statuses in the STP configuration.

    First, auto-edge-port.

    The auto-edge-port feature is enabled by default to automatically distinguish ports connected to network devices running spanning tree from other ports, by listening for spanning tree information for 3 seconds.

    Secondly, admin-edge-port: this port status is for network devices such as PC, printer, phone, etc.

    You set up all uplink ports (SonicWall, edge switch, WAP) with admin-edge-port status. This is false; all device ports must have auto-edge-port.

    And you set all uplink ports to BPDU protection mode.

    BPDU protection prevents unwanted BPDUs from entering the spanning-tree domain. It is usually used on ports connected to devices that do not support spanning-tree. When enabled on a port, BPDU protection will disable the port for a given period (configurable timeout) if a BPDU is received. In our case the 300s timeout will be used for port deactivation.

    Finally 2:

    all uplink ports must have auto-edge-port

    and all uplink ports must not have BPDU protection mode active


  • 4.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 04, 2011 01:05 PM

    I'm not sure I'm understanding your proposed solution. 

     

    auto-edge-port is enabled on all ports by default. I've confirmed this by running "show spanning-tree config"

     

    I should have mentioned I have also tried bpdu-filtering and that didn't seem to work either. I didn't try pvst-filtering, but I don't have any pvst switches on the network.

     

    Also, the E2510's have no spanning tree configuration. 

     

    The goal is to exclude ports B1,B15,B16,B21,B23 from all spanning tree operations. What should the settings be for each port.



  • 5.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 04, 2011 01:12 PM

    Finally 2:

    all uplink ports must have auto-edge-port

    and all uplink ports must not have BPDU protection mode active



  • 6.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 04, 2011 02:36 PM

    All ports already have auto-edge port enabled

                     | Path      Prio Admin Auto Admin Hello  Root  TCN   BPDU
     Port  Type      | Cost      rity Edge Edge PtP   Time   Guard Guard Flt
     ----- --------- + --------- ---- ---- ---- ----- ------ ----- ----- ---
     B1    100/1000T | Auto      128  Yes  Yes  True  Global No    No    No
     B15   100/1000T | Auto      128  Yes  Yes  True  Global No    No    No
     B16   100/1000T | Auto      128  Yes  Yes  True  Global No    No    No
     B21   1000SX    | Auto      128  Yes  Yes  True  Global No    No    No
     B23   1000SX    | Auto      128  Yes  Yes  True  Global No    No    No

    Admin-edge-mode was enabled as a troubleshooting step to fix this issue, but it had no effect.

     

     BPDU protection was just enabled yesterday. The issue existed before and after enabling BPDU protection.  So it does not appear enabling it or disabling has any effect on the issue. bpdu-filter was also enabled and then disabled and the issue continued to occur.



  • 7.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 04, 2011 03:09 PM

    Hi

     
    Well, I've overlooked your message and pressed "post" but I was in a hurry to go home =)

    looking at sonicwall docs they suggest this port config to minimize "sensitive" SDP/SSPP protocols

    no lacp
    no cdp
    power critical
    no power-pre-std-detect
    spanning-tree xx admin-edge-port
    mdix-mode mdix

    ok now how those ports could have been blocked by an STP BPDU is beyond my imagination since you've both admin-edge-port + bpdu filter and w/o bpdu-protection/guard

    I suspect the problem lies elsewhere...

    However

    >spanning-tree instance 1 vlan 165 201 202
    >spanning-tree instance 1 priority 3
    >spanning-tree instance 2 vlan 169 200 204
    >spanning-tree instance 2 priority 3

    the same priority on both instances it's not a good idea =)

    and please post the output of the following commands

    sh span instance ist
    sh span instance 1
    sh span instance 2
    sh span debug-counters ports B1,B15-B16,B21,B23 instance 0
    sh span debug-counters ports B1,B15-B16,B21,B23 instance 1
    sh span debug-counters ports B1,B15-B16,B21,B23 instance 2

    show power bri
    show log -r -w

    Regards,

    Antonio



  • 8.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 04, 2011 03:41 PM

    The attached zip has the output from the commands you requested. On the log I did notice that the time on my switch isn't correct.

    You'll also notice a lot of POE errors due to a power issue we had a few weeks ago. We are adding more power supplies to address that.

     

    I guess I misunderstood the MSTP instance priority.  I understood that was the priority per instance compared to other switches in the same instance.  So in this case I want this core switch to be the 3 choice for root in both instances.

    Attachment(s)

    zip
    sonicpoint issue.zip   703 B 1 version


  • 9.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 05, 2011 04:05 AM

    Hi

    >I understood that was the priority per instance compared to other switches in the same instance. 
    >So in this case I want this core switch to be the 3 choice for root in both instances.
    oh well rather the one who has misunderstood it was me since I assumed that this meant that you wanted
    to coalesce each instance root to core in a triangle topology but from "show span" commands I see that you have assigned different root per instance to ToR switches and left core as root only for cist..it's fine

    anyway I think that the problem is not related to STP blocking or interfering with WAPs ports during FWD state
    given that stp debug counters are OK!
    I'm more inclined to think that depends on a problem related to the POE (even not taking into account your logs and mentioned failure) ..try to disable LLDP on those ports and allocating by value (see sonicwall specs for that)

    int <port> power-over-ethernet critical
    int <port> poe-allocate-by value
    no int <port> lldp

    Regards,

    Antonio



  • 10.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 06, 2011 03:14 PM

    Thanks. 

     

    I've already set PoE to critical, but I don't think this is a PoE issue as the issue occurred even when the SonicPoints were using their power adapters.



  • 11.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 06, 2011 06:13 PM

    Umm.. I've reread your logs and maybe I was tricked at first glance, looking/searching in the wrong direction, i.e. for BPDUs coming from/to the WAP/SonicWalls

    show span ist:

    B15   100/1000T 20000     128      Designated Forwarding c09134-41a900
    B16   100/1000T 20000     128      Designated Forwarding c09134-41a900
    B17   100/1000T 200000    128      Root       Forwarding 001372-485db1
    B18   100/1000T Auto      128      Disabled   Disabled

    and now from a show span of both msti

    B17   100/1000T 200000    128      Master     Forwarding c09134-41a900
    B18   100/1000T Auto      128      Disabled   Disabled
    B19   100/1000T Auto      128      Disabled   Disabled

    notice that port B17 is flagged as master port to an outside MST region (legacy RSTP/STP !?) in both instances and as RP on ist,

    now the general stats from ist

    Topology Change Count   : 585
    Time Since Last Change  : 5 days

    I was fooled by the fact that the topology was stable in the last 5 days and the changes were caused by power outage/tests

     

    on the first post you say:

     

    "Port B1 connects to the WAP, B15-B16 connect to the Sonicwalls, B21 & B23 connect to the E2510 edge switches"

     

    what is attached to b17 ?

    could you please post those commands outputs

    sh span root-history ist
    sh span root-history cst

    sh span instance ist
    sh span debug-counters ports B17 instance 0
    sh span debug-counters ports B17 instance 1
    sh span debug-counters ports B17 instance 2

    Regards,

    Antonio



  • 12.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 10, 2011 11:20 AM

    B17 is an uplink to a telco managed switch that provides a layer 2 metro-ethernet connection to another site. It is set untagged for VLAN 10. 

     

    Attached is the output you requested.  Please keep in mind that yesterday I updated the switch software to the latest version (K.15.06) at the recommendation of HP Networking support, but we've already seen one of the WAPs go non-responsive this morning.

    Attachment(s)

    txt
    spanning output.txt   703 B 1 version


  • 13.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 10, 2011 04:13 PM


    >ITCATXCORE1# sh span root-history cst
    > Status and Counters - CST Root Changes History
    >  MST Instance ID        : 0        
    >  Root Changes Counter   : 2          
    >  Current Root Bridge ID : 0:000d56-2f6e00   
    >
    >  Root Bridge ID      Date     Time   
    >  ------------------- -------- --------
    >      0:000d56-2f6e00 10/09/11 15:35:54
    >  32768:c09134-41a900 10/09/11 15:35:22

    pay attention to what's in the above output:
    the switch with MAC 000d56-2f6e00 with priority 0 (a rapid lookup to oid suggests a Dell Powerconnect gear) has been elected as YOUR CST root..

    >sh span debug-counters ports B17 instance0
    >  Topology Changes Detected   1          10/09/11 15:35:54
    >  Topology Changes Tx         0                          
    >  Topology Changes Rx         75         10/09/11 15:38:14
    >  Topology Change ACKs Tx     0                          
    >  Topology Change ACKs Rx     5          10/09/11 15:36:01
    >  TCN BPDUs Tx                5          10/09/11 15:36:01

    and its TC/TCN are exchanged/coming from port B17 (it's elected as a boundary port to a legacy (non MSTP) region)...well, can you guess what this means?
    yes of course...a topology change to CST will affect all MSTIs and the CIST =)

    If you have only one uplink to the other site I suggest to BPDU filter B17 since I think we found who is our possible culprit

    Regards,

    Antonio



  • 14.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 11, 2011 11:04 AM

    I enabled BPDU filtering on port B17 last night, but we are still having the issue.   As shown below it looks like the device is still fighting to be root.  Any ideas?  If I was to assign the two wireless networks to their own MSTP instance would that exclude the network from the flapping?

     

    ITCATXCORE1# sh spanning-tree root-history cst
    
     Status and Counters - CST Root Changes History
    
      MST Instance ID        : 0
      Root Changes Counter   : 98
      Current Root Bridge ID : 32768:0024a8-fd4c00
    
      Root Bridge ID      Date     Time
      ------------------- -------- --------
      32768:0024a8-fd4c00 10/11/11 03:23:19
      32768:0024a8-fde900 10/11/11 03:23:18
      32768:c09134-41a900 10/11/11 03:23:18
          0:000d56-2f6e00 10/11/11 03:23:18
      32768:c09134-41a900 10/11/11 03:23:18
          0:000d56-2f6e00 10/11/11 03:23:18
      32768:c09134-41a900 10/11/11 03:23:17
          0:000d56-2f6e00 10/11/11 03:23:17
      32768:c09134-41a900 10/11/11 03:23:17
          0:000d56-2f6e00 10/11/11 03:23:17
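
An added example, not part of the original post: a small parser for the `show spanning-tree root-history` rows above that lists root bridges other than the expected one and measures how many root changes fall inside a short window. Treating `c09134-41a900` as the local core switch, the MM/DD/YY date order, and the 10-second / 3-change thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Root-history rows copied from the post above (the switch prints newest first).
SAMPLE = """\
  Root Bridge ID      Date     Time
  ------------------- -------- --------
  32768:0024a8-fd4c00 10/11/11 03:23:19
  32768:0024a8-fde900 10/11/11 03:23:18
  32768:c09134-41a900 10/11/11 03:23:18
      0:000d56-2f6e00 10/11/11 03:23:18
  32768:c09134-41a900 10/11/11 03:23:18
      0:000d56-2f6e00 10/11/11 03:23:18
  32768:c09134-41a900 10/11/11 03:23:17
      0:000d56-2f6e00 10/11/11 03:23:17
  32768:c09134-41a900 10/11/11 03:23:17
      0:000d56-2f6e00 10/11/11 03:23:17
"""

ROW = re.compile(
    r"^\s*(\d+):([0-9a-f]{6}-[0-9a-f]{6})\s+(\d\d/\d\d/\d\d)\s+(\d\d:\d\d:\d\d)\s*$", re.I)

def parse_root_history(text):
    """Return [(priority, mac, timestamp)] in the order the switch printed them."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and separator lines do not match and are skipped
            ts = datetime.strptime(m.group(3) + " " + m.group(4), "%m/%d/%y %H:%M:%S")
            rows.append((int(m.group(1)), m.group(2).lower(), ts))
    return rows

def analyse(rows, expected_macs, window=timedelta(seconds=10), max_changes=3):
    """Flag unexpected root bridges and bursts of root changes (flapping)."""
    unexpected = sorted({(p, mac) for p, mac, _ in rows if mac not in expected_macs})
    times = sorted(ts for _, _, ts in rows)
    # Largest number of root changes that fall inside any window starting at a change.
    burst = max((sum(1 for t in times if start <= t < start + window)
                 for start in times), default=0)
    return {"unexpected_roots": unexpected, "max_burst": burst,
            "flapping": burst > max_changes}

if __name__ == "__main__":
    # Assumption: c09134-41a900 is the local core switch's bridge MAC.
    print(analyse(parse_root_history(SAMPLE), expected_macs={"c09134-41a900"}))
```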

     



  • 15.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 11, 2011 11:13 AM
    Actually, I just looked at the current time and it looks like the switch isn't factoring in the time zone. So, the above root-history changes were all around the time I implemented bpdu-filtering last night.
    Still, we had to reboot one of the WAPs this morning.


  • 16.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 11, 2011 03:34 PM

    OK, so things are not so obvious after all =)

    maybe you can post the output of the following commands:

    - on the 5412zl

    sh span instance ist
    sh span instance 1
    sh span instance 2

    sh span debug-counters ports A1,A4,C1,D23 instance 0
    sh span debug-counters ports A1,A4,C1,D23 instance 1
    sh span debug-counters ports A1,A4,C1,D23 instance 2

    - on ToR E6600 #1 & #2

    sh span instance ist
    sh span instance 1
    sh span instance 2

    both before and after a WAP reboot, plus on ALL 3 switches clear the log and then

    show log -a

    solely after the WAP reboot, indicating the time when it happened

    If you can would be nice to have the configurations (purified) of core and ToR switches.

     

    Regards,

     

    Antonio



  • 17.  RE: Spanning Tree and SonicWall SonicPoints

    Posted Oct 12, 2011 01:57 PM

    Last night we moved all the SonicPoint traffic to a separate switch that has no spanning tree enabled. By mid morning one of the WAPs went unresponsive again. I believe at this point the problem is the SonicWalls and the STP troubleshooting should have been concluded once bpdu-filtering was enabled. Thanks for your help though.